ISO 22301: The Business Continuity Standard Explained Simply

Measuring up to the ISO 22301 business continuity management standard is no small feat. This 30-page document developed by the ISO Technical Committee in 2012 is considered the touchstone of business continuity standards for all types of companies (although there are specialized guidelines such as the FFIEC business continuity program standard for financial institutions or NIST 800 for information technology). If your business continuity program is performing at this level, first of all—congratulations, it’s quite an achievement! More importantly, though, the strength of your program almost guarantees your business will survive a crisis should one ever occur.

The purpose of ISO 22301 is to provide guidelines on how to set up and manage a high-performing business continuity management system (BCMS). It essentially dictates how all the elements of a program should work together to ensure your business can continue operating at its normal level following a disruption, so that you can protect your brand as well as the interests of your key stakeholders (including your customers).

It is one standard among many; in fact, it’s smart for companies to use more than one. (The various standards are somewhat different; the National Fire Protection Act 1600, for example, puts forth more nuts-and-bolts directives than ISO 22301, which measures at a more strategic level.) And how you apply the standard is totally up to you: either use it at its highest level or determine a more moderate approach that still provides an adequate level of protection for your business. That decision will be determined in part by the nature of your business: If your industry is governed by strict legal or regulatory requirements for business continuity, then implement the standard at the highest level you possibly can.

But no matter how you choose to implement ISO 22301 as your preferred business continuity management standard, do so by formally adopting it and making it the basis for the operation of your BCMS. Having a clear understanding among all stakeholders ensures a greater level of commitment—and makes it more difficult to veer off course.

Create a business recovery plan right the first time with this free downloadable guide that includes sample recovery checklists and the four disruptions every company should plan for.

Let’s take a closer look at the 10 main sections of ISO 22301, in layman’s terms.

ISO 22301 Business Continuity Management Standards: 10 Sections

Sections 1-3 Overview

The first three sections of ISO 22301 mainly serve to provide context about the standard itself and its overall purpose. Briefly, they are as follows:

• Section 1, scope, outlines what the standard is and who it applies to. It is applicable to all types of organizations that want to implement a solid business continuity program and ensure conformity to a proven standard.
• Section 2, normative references, are documents that support and clarify the standard (none are listed; you can essentially skip this section).
• Section 3, terms and definitions, explains key terms used within the standards. It’s important to understand them because some may mean different things here than they do elsewhere.

Section 4: Context

The standard really begins here, with how to start evaluating your program. The purpose of this section is to get you thinking about your business and understand—realistically—what it might need in the event of a disruption.

• 4.1—Understand your organization and its unique context. Consider the purpose of your organization, what it does, and your management’s risk tolerance.
• 4.2—Understand the needs and expectations of parties associated with your company, both internal and external. Also be familiar with any specific legal and regulatory requirements associated with your organization and how they impact your BCMS.
• 4.3—Consider the scope of the business continuity management system you’re planning to implement. Define which parts of the organization will be covered by the program and which will not; do the same for people, products, and services.

Section 5: Leadership

A business continuity program is only as good as the level of management support it receives. This section calls your attention to the necessary elements that govern a program and ensures it has the support it needs to succeed.

• 5.1—Is the management team committed to the program? Do they participate in overseeing the process on a regular basis?
• 5.2—Have you established a business continuity policy that governs the program? This sets the framework for the program’s objectives.
• 5.3—Have you defined roles and responsibilities for those associated with the program? Who’s in charge, and what are their responsibilities? Have the roles been officially assigned and communicated?

Section 6: Planning

This section requires you to revisit the issues identified in section four. Understanding your company as a whole is necessary for planning the appropriate strategies and actions.

• 6.1—Identify the risks associated with your company based on what it is and does.
• 6.2—Identify business continuity objectives and create plans to address them.
• 6.3—Make sure the objectives are consistent with the policy you’ve developed. Take into account, for instance, the minimal level of products and services you need to have in place following a disruption.
• 6.4—Outline the parties responsible for carrying out the plan. (Some of this may have been defined in section 5.)

Section 7: Support

This section outlines the building blocks a plan needs in order to work. Something as simple as making sure people know about the plan could make or break its success.

• 7.1 —Define the resources you will need to implement your plans. Consider internal and external resources you will need to have in place on an ongoing basis.
• 7.2—Ensure the parties responsible for carrying out the plan are competent. Do they have the right training, and are they capable of maintaining the program?
• 7.3—Ensure global awareness of the plan. Everyone in the company should know about the plan and their role (if any), including what is expected of them should the plan be carried out.
• 7.4—Define methods of crisis communication, including who is authorized to communicate, what should be communicated, when, and with whom.
• 7.5—Document your plan information. Documentation should be standardized for easy maintenance and regular updating.
• 7.6—Maintain control of your plan information by making sure it is stored properly, secured (so that the right people have access to it), and accessible.

Section 8: Operation

Section 8 is where much of the “meat” of ISO 22301 lies—it tells what you need to do to create a working program.

• 8.1—Define the elements of operational planning and control your company will utilize. Know the processes you need to implement and the criteria behind them (risk assessment, a business impact analysis, etc.).
• 8.2—Conduct a complete BIA and risk assessment. (See our Business Impact Analysis Guide.)
• 8.3—Develop a business continuity strategy.
  • Put plans in place to protect your operations. Determine strategy based on the importance/criticality of a business unit and its recovery time.
  • Identify the resources needed to carry out the strategy—people, information, facilities, transportation, money.
  • Determine controls you will put into place to protect, plan, and mitigate risk.
• 8.4—Develop business continuity management plans for the following:
  • Establish an incident response structure that ensures high-level people in your company can strategically direct the response to an incident and delegate tasks.
  • Implement a warning and communication process. Do you have a way to monitor potential threats for advance warning? (An approaching nor’easter, for instance, warrants special attention.) How will you communicate with internal and external parties about an impending or actual event?
  • Develop thorough business continuity procedures.
• 8.5—Test regularly and consistently according to the scope of your objectives. A highly regulated industry needs rigorous testing compared to other industries.

Section 9: Performance evaluation

Evaluating your business continuity program is the only way to truly know if it will work; are you doing what’s required to measure its performance?

• 9.1—Monitor, measure, analyze, and evaluate your program. Determine what needs to be monitored or measured and the methods you’ll use to do that, as well as how frequently you’ll do it. Set up the right performance metrics to ensure you’re conducting your program properly.
• 9.2—Do an internal audit regularly to show if the system is performing. If it’s not performing as needed, how can you fix it?
• 9.3—Conduct management reviews. Top management should review the system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Typically this is an area where many companies fall short.

Section 10: Continual improvement

You must demonstrate a commitment to continually improving your plan over time, both in resolving outstanding issues and in keeping it up-to-date as your business changes.

• 10.1—If metrics reveal you have problems in the program, identify them and fix them.
• 10.2—Strive for continual improvement.

Want help meeting the ISO standard for business continuity?

Meeting the ISO 22301 business continuity management standard takes discipline, time, and resources—as well as the ability to accurately develop and evaluate effective strategies. The BCMMetrics™ suite of business continuity software can help.

The BIA On-Demand (BIA^OD) tool gives you everything you need to conduct a complete business impact analysis at the company, division, or department level. Compliance Confidence (C²) measures your business continuity program with a series of comprehensive questions and a clear, FICO-like scoring system. And the Residual Risk (R²) tool can help quantitatively identify your residual risk and evaluate it. Each of these tools are aligned with multiple major industry standards—including ISO 22301. They’re easy to use and give you the opportunity to perform unlimited self-assessments of your enterprise BCM program. To find out more about how it works, schedule a demo today.